Claims: 

1. A system for network content monitoring, comprising:

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, 
for extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, and 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to 
determine whether said data being transported comprises any of said content 
whose movements it is desired to monitor. 

2. A system according to claim 1, wherein said description extractor 
is operable to extract a pattern identifiably descriptive of said data being 
transported. 

3. A system according to claim 1, wherein said description extractor 
is operable to extract a signature of said data being transported. 

4. A system according to claim 1, wherein said description extractor 
is operable to extract characteristics of said data being transported.

5. A system according to claim 1, wherein said description extractor
is operable to extract encapsulated meta information of said data being 
transported. 



6. A system according to claim 1, wherein said description extractor
is operable to extract multi-level descriptions of said data being transported. 

7. A system according to claim 6, wherein said multi-level
description comprises a pattern identifiably descriptive of said data being
transported.

8. A system according to claim 6, wherein said multi-level
description comprises a signature of said data being transported.

9. A system according to claim 6, wherein said multi-level 
description comprises characteristics of said data being transported. 

10. A system according to claim 6, wherein said multi-level 
description comprises encapsulated meta-information of said data being 
transported.

11. A system according to claim 1, wherein said description
extractor is a signature extractor, for extracting a derivation of said data, said 
derivation being a signature indicative of content of said data being transported, 
and wherein said at least one preobtained description is a preobtained signature. 



12. A system according to claim 1, said network being a
packet-switched network and said data being transported comprising passing 
packets. 



13. A system according to claim 1, said network being a
packet-switched network, said data being transported comprising passing 
packets and said transport data monitor being operable to monitor header 
content of said passing packets. 



14. A system according to claim 1, said network being a 
packet-switched network, said data being transported comprising passing 
packets, and said transport data extractor being operable to monitor header 
content and data content of said passing packets. 

15. A system according to claim 1, wherein said transport data
monitor is a software agent, operable to place itself on a predetermined node of
said network.

16. A system according to claim 1, comprising a plurality of
transport data monitors distributed over a plurality of points on said network. 



17. A system according to claim 1, said transport data monitor
further comprising a multimedia filter for determining whether passing content
comprises multimedia data and restricting said signature extraction to said 
multimedia data. 



18. A system according to claim 1, said data being transported
comprising a plurality of protocol layers, the system further comprising a layer
analyzer connected between said transport data monitor and said signature 
extractor, said layer analyzer comprising analyzer modules for at least two of 
said layers. 

19. A system according to claim 18, said layer analyzer
comprising separate analyzer modules for respective layers.

20. A system according to claim 18, further comprising a
traffic associator, connected to said analyzer modules, for using output from
said analyzer modules to associate transport data from different sources as a
single communication.

21. A system according to claim 20, wherein said sources are
at least one of a group comprising: data packets, communication channels, data 
monitors, and pre correlated data. 

22. A system according to claim 18, comprising a traffic state
associator connected to receive output from said layer analyzer modules, and to 
associate together output, of different layer analyzer modules, which belongs to 
a single communication. 

23. A system according to claim 18, wherein at least one of
said analyzer modules comprises a multimedia filter for determining whether 
passing content comprises multimedia data and restricting said signature 
extraction to said multimedia data. 



24. A system according to claim 18, wherein at least one of
said analyzer modules comprises a compression detector for determining
whether said extracted transport data is compressed. 



25. A system according to claim 24, further comprising a 
decompressor, associated with said compression detector, for decompressing 
said data if it is determined that said data is compressed.

26. A system according to claim 24, further comprising a
description extractor for extracting a description directly from said compressed
data.

27. A system according to claim 18, wherein at least one of
said analyzer modules comprises an encryption detector for determining
whether said transport data is encrypted.

28. A system according to claim 21, wherein said encryption
detector comprises an entropy measurement unit for measuring entropy of said
monitored transport data.

29. A system according to claim 28, wherein said encryption
detector is set to recognize a high entropy as an indication that encrypted data
is present.

30. A system according to claim 29, wherein said encryption 
detector is set to use a height of said measured entropy as a confidence level of 
said encrypted data indication. 

31. A system according to claim 18, further comprising a
format detector for determining a format of said monitored transport data.

32. A system according to claim 31, further comprising a
media player, associated with said format detector, for rendering and playing 
said monitored transport data as media according to said detected format, 
thereby to place said monitored transport data in condition for extraction of a 
signature which is independent of a transportation format. 

33. A system according to claim 31, further comprising a
parser, associated with said format detector, for parsing said monitored 
transport media, thereby to place said monitored transport data in condition for 
extraction of a signature which is independent of a transportation format. 

34. A system according to claim 1, comprising a payload
extractor located between said transport monitor and said signature extractor 
for extracting content carrying data for signature extraction. 

35. A system according to claim 1, wherein said signature 
extractor comprises a binary function for applying to said monitored transport 
data. 

36. A system according to claim 1, wherein said network is a
packet network, and wherein a buffer is associated with said signature extractor
to enable said signature extractor to extract a signature from a buffered batch of
packets.

37. A system according to claim 35, wherein said binary
function comprises at least one hash function.

38. A system according to claim 37, wherein said binary
function comprises a first, fast, hash function to identify an offset in said
monitored transport data and a second, full, hash function for application to
said monitored transport data using said offset.

39. A system according to claim 11, wherein said signature
extractor comprises an audio signature extractor for extracting a signature from
an audio part of said monitored data being transported.

40. A system according to claim 11, wherein said signature
extractor comprises a video signature extractor for extracting a signature from a
video part of said monitored data being transported.

41. A system according to claim 11, said signature extractor
comprising a pre-processor for pre-processing said monitored data being
transported to improve signature extraction.

42. A system according to claim 41, said preprocessor
operable to carry out at least one of a group of pre-processing operations
comprising: removing erroneous data, removing redundancy, and canonizing
properties of said monitored data being transported.

43. A system according to claim 11, wherein said signal
extractor comprises a binary signal extractor for initial signature extraction and
an audio signature extractor for extracting an audio signature in the event said
initial signature extraction fails to yield an identification.

44. A system according to claim 11, wherein said signal
extractor comprises a binary signal extractor for initial signature extraction and
a text signature extractor for extracting a text signature in the event said initial
signature extraction fails to yield an identification.

45. A system according to claim 11, wherein said signal
extractor comprises a binary signal extractor for initial signature extraction and
a code signature extractor for extracting a code signature in the event said
initial signature extraction fails to yield an identification.

46. A system according to claim 11, wherein said signal
extractor comprises a binary signal extractor for initial signature extraction and
a data content signature extractor for extracting a data content signature in the
event said initial signature extraction fails to yield an identification.

47. A system according to claim 11, wherein said signature
extractor is operable to use a plurality of signature extraction approaches. 

48. A system according to claim 47, further comprising a
combiner for producing a combination of extracted signatures of each of said
approaches.

49. A system according to claim 47, wherein said comparator
is operable to compare using signatures of each of said approaches and to use
as a comparison output a highest result of each of said approaches.

50. A system according to claim 11, wherein said signal
extractor comprises a binary signal extractor for initial signature extraction and
a video signature extractor for extracting a video signature in the event said
initial signature extraction fails to yield an identification.

51. A system according to claim 11, wherein there is a
plurality of preobtained signatures and wherein said comparator is operable to
compare said extracted signature with each one of said preobtained signatures,
thereby to determine whether said monitored transport data belongs to a
content source which is the same as any of said signatures.






52. A system according to claim 51, said comparator being
operable to obtain a cumulated number of matches of said extracted signature. 

53. A system according to claim 51, wherein said comparator
is operable to calculate a likelihood of compatibility with each of said 
preobtained signatures and to output a highest one of said probabilities to an 
unauthorized content presence determinator connected subsequently to said 
comparator. 

54. A system according to claim 52, said comparator being 
operable to calculate a likelihood of compatibility with each of said 
preobtained signatures and to output an accumulated total of matches which 
exceed a threshold probability level. 

55. A system according to claim 52, said comparator being 
operable to calculate the likelihood of compatibility with each of said 
preobtained signatures and to output an accumulated likelihood of matches 
which exceed a threshold probability level. 

56. A system according to claim 51, comprising a sequential
decision unit associated with said comparator, being operable to use a
sequential decision test to update a likelihood of the presence of given content,
based on at least one of the following: successive matches made by said
comparator, context related parameters, other content related parameters and
outside parameters.

57. A system according to claim 53, wherein said
unauthorized content presence determinator is operable to use the output of
said comparator to determine whether unauthorized content is present in said
transport and to output a positive decision of said presence to a subsequently
connected policy determinator.

58. A system according to claim 51, wherein an unauthorized
content presence determinator is connected subsequently to said comparator
and is operable to use an output of said comparator to determine whether
unauthorized content is present in said data being transported, a positive
decision of said presence being output to a subsequently connected policy
determinator.

59. A system according to claim 58, wherein said policy
determinator comprises a rule-based decision making unit for producing an
enforcement decision based on output of at least said unauthorized content
presence determinator.

60. A system according to claim 1, wherein said policy
determinator is operable to use said rule-based decision making unit to select
between a set of outputs including at least some of: taking no action,
performing auditing, outputting a transcript of said content, reducing
bandwidth assigned to said transport, using an active bitstream interference
technique, stopping said transport, preventing printing, preventing
photocopying, reducing quality of the content, removing sensitive parts,
altering the content, adding a message to the said content, and preventing of
saving on a portable medium.

61. A system according to claim 60, wherein said rule-based
decision making unit is operable to use a likelihood level of a signature
identification as an input in order to make said selection.

62. A system according to claim 61, further comprising a
bandwidth management unit connected to said policy determinator for
managing network bandwidth assignment in accordance with output decisions
of said policy determinator.

63. A system according to claim 1, further comprising an audit
unit for preparing and storing audit reports of transportation of data identified
as corresponding to content it is desired to monitor.

64. A system according to claim 1, comprising a transcript 
output unit for producing transcripts of content identified by said comparison.

65. A system according to claim 27, further comprising a
policy determinator connected to receive outcomes of said encryption
determinator and to apply rule-based decision making to select between a set of
outputs including at least some of: taking no action, performing auditing,
outputting a transcript of said content, reducing bandwidth assigned to said
transport, using an active bitstream interference technique, and stopping said
transport.

66. A system according to claim 65, wherein said rule-based
decision-making comprises rules based on confidence levels of said outcomes.

67. A system according to claim 65, wherein said policy
determinator is operable to use an input of an amount of encrypted transport
from a given user as a factor in said rule based decision making.



68. A system according to claim 30, further comprising a
policy determinator connected to receive positive outcomes of said encryption
determinator and to apply rule-based decision making to select between a set of
outputs including at least some of: taking no action, performing auditing,
outputting a transcript of said content, reducing bandwidth assigned to said
transport, using an active bitstream interference technique, and stopping said
transport, said policy determinator operable to use:

an input of an amount of encrypted transport from a given user, and
said confidence level, as factors in said rule based decision making.

69. A system for network content control, comprising:

a transport data monitor, connectable to a point in a network, for
monitoring data being transported past said point,

a signature extractor, associated with said transport data monitor, for
extracting a derivation of payload of said monitored data, said derivation being
indicative of content of said data,

a database of preobtained signatures of content whose movements it
is desired to monitor,

a comparator for comparing said derivation with said preobtained
signatures, thereby to determine whether said monitored data comprises any of
said content whose movements it is desired to control,

a decision-making unit for producing an enforcement decision, using
the output of said comparator, and

a bandwidth management unit connected to said decision-making
unit for managing network bandwidth assignment in accordance with output
decisions of said policy determinator, thereby to control content distribution
over said network.

70. A system according to claim 69, wherein said decision-making
unit is a rule-based decision-making unit.

71. A system according to claim 70, wherein said transport
data monitor is a software agent, operable to place itself on a predetermined
node of said network.



72. A system according to claim 70, comprising a plurality of
transport data monitors distributed over a plurality of points on said network.



73. A system according to claim 70, said transport data
monitor further comprising a multimedia filter for determining whether passing
content comprises multimedia data and restricting said signature extraction to 
said multimedia data. 



74. A system according to claim 70, said transport data
comprising a plurality of protocol layers, the system further comprising a layer
analyzer connected between said transport data monitor and said signature 
extractor, said layer analyzer comprising analyzer modules for at least two of 
said layers. 



75. A system according to claim 74, comprising a traffic state
associator connected to receive output from said layer analyzer modules, and to
associate together output of different layer analyzer modules which belongs to
a single communication.

76. A system according to claim 74, one of said analyzer
modules comprising a multimedia filter for determining whether passing
content comprises multimedia data and restricting said data extraction to said
multimedia data.

77. A system according to claim 74, one of said analyzer 
modules comprising a compression detector for determining whether said 
monitored transport data is compressed. 

78. A system according to claim 77, further comprising a 
decompressor, associated with said compression detector, for decompressing 
said data if it is determined that said data is compressed. 

79. A system according to claim 74, one of said analyzer 
modules comprising an encryption detector for determining whether said 
monitored transport data is encrypted. 

80. A system according to claim 79, wherein said encryption
detector comprises an entropy measurement unit for measuring entropy of said
monitored transport data.

81. A system according to claim 80, said encryption detector
being set to recognize a high entropy as an indication that encrypted data is
present.

82. A system according to claim 81, said encryption detector
being set to use a height of said measured entropy as a confidence level of said 
encrypted data indication. 

83. A system according to claim 74, further comprising a
format detector for determining a format of said monitored transport data. 

84. A system according to claim 83, further comprising a 
media player, associated with said format detector, for rendering and playing 
said monitored transport data as media according to said detected format, 
thereby to place said extracted transport data in condition for extraction of a 
signature which is independent of a transportation format. 

85. A system according to claim 83, further comprising a 
parser, associated with said format detector, for parsing said monitored 
transport media, thereby to place said extracted transport data in condition for 
extraction of a signature which is independent of a transportation format.

86. A system according to claim 70, wherein said signature
extractor comprises a binary function for applying to said extracted transport 



87. A system according to claim 86, wherein said binary 
function comprises at least one hash function. 

88. A system according to claim 87, wherein said binary 
function comprises a first, fast, hash function to identify an offset in said 
extracted transport data and a second, full, hash function for application to said 
extracted transport data using said offset. 

89. A system according to claim 70, wherein said signature 
extractor comprises an audio signature extractor for extracting a signature from 
an audio part of said extracted transport data. 

90. A system according to claim 70, wherein said signature 
extractor comprises a video signature extractor for extracting a signature from a 
video part of said extracted transport data. 

91. A system according to claim 70, wherein said comparator
is operable to compare said extracted signature with each one of said
preobtained signatures, thereby to determine whether said monitored transport
data belongs to a content source which is the same as any of said signatures.

92. A system according to claim 91, wherein said comparator
is operable to calculate a likelihood of compatibility with each of said 
preobtained signatures and to output a highest one of said probabilities to an 
unauthorized content presence determinator connected subsequently to said 
comparator. 

93. A system according to claim 92, wherein said 
unauthorized content presence determinator is operable to use the output of 
said comparator to determine whether unauthorized content is present in said 
transport and to output a positive decision of said presence to a subsequently 
connected policy determinator. 

94. A system according to claim 91, wherein an unauthorized
content presence determinator is connected subsequently to said comparator
and is operable to use an output of said comparator to determine whether
unauthorized content is present in said transport, a positive decision of said
presence being output to a subsequently connected policy determinator.

95. A system according to claim 94, wherein said policy
determinator comprises said rule-based decision making unit for producing an
enforcement decision based on output of at least said unauthorized content
presence determinator.

96. A system according to claim 70, wherein said policy 
determinator is operable to use said rule-based decision making unit to select 
between a set of outputs including at least some of: taking no action, 
performing auditing, outputting a transcript of said content, reducing 
bandwidth assigned to said transport, using an active bitstream interference 
technique, stopping said transport, not allowing printing of said content, not
allowing photocopying of said content and not allowing saving of said content on
portable media.

97. A system according to claim 96, said rule-based decision 
making unit is operable to use a likelihood of a signature identification as an 
input in order to make said selection. 

98. A system according to claim 70, further comprising an 
audit unit for preparing and storing audit reports of transportation of data 
identified as corresponding to content it is desired to monitor. 

99. A system according to claim 79, further comprising a
policy determinator connected to receive positive outcomes of said encryption
determinator and to apply rule-based decision of said rule-based decision
making unit to select between a set of outputs including at least some of: taking
no action, performing auditing, outputting a transcript of said content, reducing
bandwidth assigned to said transport, using an active bitstream interference
technique, stopping said transport, reducing quality of the content, removing
sensitive parts, altering the content, adding a message to said content, not
allowing printing of said content, not allowing photocopying of said content
and not allowing saving of said content on portable media.

100. A system according to claim 99, said policy determinator
being operable to use an input of an amount of encrypted transport from a
given user as a factor in said rule based decision making.

101. A system according to claim 82, further comprising a 
policy determinator connected to receive positive outcomes of said encryption 
determinator and to apply rule-based decision making of said rule-based 
decision-making unit to select between a set of outputs including at least some 
of: taking no action, performing auditing, outputting a transcript of said 
content, reducing bandwidth assigned to said transport, using an active 
bitstream interference technique, stopping said transport, reducing quality of 
the content, removing sensitive parts, altering the content, adding a message to 
said content, not allowing printing of said content, not allowing photocopying 
of said content, and not allowing saving of said content on portable media.

102. A system according to claim 101, said policy determinator
being operable to use: 

an input of an amount of encrypted transport from a given user, and 
said confidence level, 

as factors in said rule based decision making. 

103. A system according to claim 69, comprised within a
firewall.

104. A system according to claim 103, said transport data 
monitor being operable to inspect incoming and outgoing data transport 
crossing said firewall. 

105. A system according to claim 69, operable to define a 
restricted network zone within said network by inspecting data transport 
outgoing from said zone. 

106. A system according to claim 69, comprising certification 
recognition functionality to recognize data sources as being trustworthy and to 
allow data transport originating from said trustworthy data sources to pass 
through without monitoring.

107. A system according to claim 69, comprising certification
recognition functionality to recognize data sources as being trustworthy and to
allow data transport originating from said trustworthy data sources to pass
through with monitoring modified on the basis of said data source recognition.

108. A system according to claim 69, comprising certification
recognition functionality to recognize data sources as being trustworthy and to
allow data transport originating from said trustworthy data sources to pass
through with said decision making being modified on the basis of said data
source recognition.

109. A method of monitoring for distribution of predetermined
content over a network, the method comprising:

obtaining extracts of data from at least one monitoring point on said
network,

obtaining a signature indicative of content of said extracted data,

comparing said signature with at least one of a prestored set of
signatures indicative of said predetermined content,

using an output of said comparison as an indication of the presence
or absence of said predetermined content.

110. A method of controlling the distribution of predetermined
content over a network, the method comprising:

obtaining extracts of data from at least one monitoring point on said
network,

obtaining a signature indicative of content of said extracted data,

comparing said signature with at least one of a prestored set of
signatures indicative of said predetermined content,

using an output of said comparison in selecting an enforcement
decision, and

using said enforcement decision in bandwidth management of said
network.

111. A method according to claim 110, wherein enforcement
decisions for selection include at least some of taking no action, performing
auditing, outputting a transcript of said content, reducing bandwidth assigned to
said transport, stopping said transport, reducing quality of the content,
removing sensitive parts, altering the content, adding a message to said content,
using an active bitstream interference technique, restricting bandwidth to a
predetermined degree, not allowing printing of said content, not allowing
photocopying of said content and not allowing saving of said content on
portable media.

112. A method according to claim 111, wherein said 
predetermined degree is selectable from a range extending between minimal 
restriction and zero bandwidth. 
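An added sketch (not text or code from the patent) of the entropy-based encryption detector of claims 28 to 30 feeding the rule-based policy determinator of claims 65 to 68, with the compression detector and decompressor of claims 24 and 25 applied first. The thresholds, the per-user quota and the zlib-only compression check are assumptions, and all payloads are constructed.

```python
import hashlib
import math
import zlib
from collections import Counter, defaultdict

MIN_SAMPLE = 256  # assumed floor: shorter payloads give no stable estimate


def shannon_entropy(data: bytes) -> float:
    """Entropy measurement unit: bits per byte of the byte histogram (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def maybe_decompress(data: bytes) -> bytes:
    """Compression detector and decompressor: undo zlib framing when present."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data


def encryption_confidence(data: bytes, low: float = 6.5, high: float = 7.9) -> float:
    """Use the height of the measured entropy as a 0..1 confidence level.

    low and high are assumed calibration points, not values from the claims.
    Entropy is measured after decompression, because compressed plaintext
    otherwise looks like ciphertext to an entropy test.
    """
    data = maybe_decompress(data)
    if len(data) < MIN_SAMPLE:
        return 0.0
    h = shannon_entropy(data)
    return min(1.0, max(0.0, (h - low) / (high - low)))


class PolicyDeterminator:
    """Rule-based unit: confidence plus per-user encrypted volume pick the action."""

    def __init__(self, audit_at=0.5, enforce_at=0.9, user_quota=8192):
        self.audit_at = audit_at      # assumed thresholds
        self.enforce_at = enforce_at
        self.user_quota = user_quota  # bytes of likely-encrypted transport per user
        self.encrypted_bytes = defaultdict(int)

    def decide(self, user: str, payload: bytes) -> str:
        conf = encryption_confidence(payload)
        if conf < self.audit_at:
            return "no action"
        self.encrypted_bytes[user] += len(payload)
        if conf >= self.enforce_at and self.encrypted_bytes[user] > self.user_quota:
            return "reduce bandwidth"
        return "perform auditing"


def constructed_samples() -> dict:
    """Constructed payloads: a hash-derived byte stream stands in for ciphertext."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    words = [b"invoice", b"draft", b"report", b"budget",
             b"review", b"client", b"signed", b"pending"]
    text = b" ".join(words[b % len(words)] for b in stream)
    return {"text": text, "zlib_text": zlib.compress(text), "cipherlike": stream}


if __name__ == "__main__":
    samples = constructed_samples()
    for name, payload in samples.items():
        print(f"{name:10s} raw_entropy={shannon_entropy(payload):.2f} "
              f"confidence={encryption_confidence(payload):.2f}")
    policy = PolicyDeterminator()
    for n in range(1, 4):
        print("alice transfer", n, "->", policy.decide("alice", samples["cipherlike"]))
```

The compressed text sample has a raw entropy close to that of the cipher-like stream, which is why the confidence is computed only after the decompression step.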
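An added sketch (not from the patent) of one way to read the two-stage binary function of claims 38 and 88: a fast rolling hash picks content-defined offsets, and a full hash (SHA-256 here) is applied to the block at each offset, so the signature survives a change of framing in front of the payload. The window size, anchor mask, block length and the use of every anchor rather than a single offset are assumptions; the sample data is constructed.

```python
import hashlib

WINDOW = 16         # bytes covered by the fast hash (assumed)
ANCHOR_MASK = 0x3F  # an offset is chosen where the low 6 bits are zero (assumed)
BLOCK = 256         # bytes fed to the full hash (assumed)
BASE, MOD = 257, (1 << 31) - 1


def anchor_offsets(data: bytes):
    """First, fast hash: yield each offset whose preceding window hits the anchor."""
    if len(data) < WINDOW:
        return
    top = pow(BASE, WINDOW - 1, MOD)
    h = 0
    for b in data[:WINDOW]:
        h = (h * BASE + b) % MOD
    for i in range(WINDOW, len(data) + 1):
        if h & ANCHOR_MASK == 0:
            yield i
        if i < len(data):
            # Slide the window one byte: drop data[i - WINDOW], append data[i].
            h = ((h - data[i - WINDOW] * top) * BASE + data[i]) % MOD


def signatures(data: bytes) -> set:
    """Second, full hash: SHA-256 of the BLOCK bytes that follow each anchor."""
    sigs = set()
    for off in anchor_offsets(data):
        block = data[off:off + BLOCK]
        if len(block) == BLOCK:
            sigs.add(hashlib.sha256(block).hexdigest())
    return sigs


def fixed_offset_signature(data: bytes) -> str:
    """Baseline for comparison: full hash at offset 0, with no fast-hash stage."""
    return hashlib.sha256(data[:BLOCK]).hexdigest()


def matches(monitored: bytes, database: set) -> bool:
    """Comparator: does any extracted signature equal a preobtained one?"""
    return bool(signatures(monitored) & database)


def constructed_content(seed: int = 0) -> bytes:
    """Constructed 4096-byte stand-in for a protected file."""
    return b"".join(hashlib.sha256(bytes([seed]) + i.to_bytes(4, "big")).digest()
                    for i in range(128))


if __name__ == "__main__":
    protected = constructed_content()
    database = signatures(protected)
    shifted = b"constructed transport framing " + protected
    print("signatures stored:", len(database))
    print("fixed-offset hash still equal:",
          fixed_offset_signature(shifted) == fixed_offset_signature(protected))
    print("two-stage match on shifted copy:", matches(shifted, database))
    print("two-stage match on partial copy:", matches(protected[1000:], database))
    print("two-stage match on other data:", matches(constructed_content(1), database))
```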